Intrusion detection systems are used by an enterprise to detect and identify unauthorized or unwanted use (commonly called an attack) of the enterprise's computer network, which normally comprises a large number of nodes and network operations centers (NOCs). In general, these enterprise intrusion detection systems scan incoming data for specific patterns in network traffic, audit trails, and other data sources to detect malicious activity. Due to the large quantity of data, conventional intrusion detection systems often use many analysts to evaluate network data with various tool implementations for identifying the patterns, such as finite state machines, simple pattern matching, or specialized algorithms.
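As an added illustration of the two detection approaches the paragraph names (simple pattern matching and a finite state machine), not code from the original document: the block below scans a constructed audit trail, flags lines matching a fixed signature, and runs a small per-host state machine that recognizes a multi-step sequence (several consecutive authentication failures followed by a success). The log format, field names, signature and threshold are all assumptions chosen for the example.

```python
"""
Added example of signature-style intrusion detection over an audit trail.
Demonstrates (a) simple pattern matching and (b) a per-host finite state
machine that tracks a multi-step event sequence. Sample data is constructed.
"""
import re
from collections import defaultdict

# Constructed sample audit trail; the line format is an assumption.
SAMPLE_AUDIT_TRAIL = """\
2024-01-01T10:00:01 sshd host=10.0.0.5 event=auth_fail user=root
2024-01-01T10:00:02 sshd host=10.0.0.5 event=auth_fail user=root
2024-01-01T10:00:03 sshd host=10.0.0.5 event=auth_fail user=root
2024-01-01T10:00:04 sshd host=10.0.0.5 event=auth_ok user=root
2024-01-01T10:00:05 sshd host=10.0.0.9 event=auth_fail user=alice
2024-01-01T10:00:06 sshd host=10.0.0.9 event=auth_ok user=alice
2024-01-01T10:01:00 httpd host=10.0.0.7 event=request path=/etc/passwd
"""

# One record per line: timestamp, source, host, event, remaining fields.
LINE_RE = re.compile(
    r"^(?P<ts>\S+) (?P<src>\S+) host=(?P<host>\S+) event=(?P<event>\S+)(?P<rest>.*)$"
)

# (a) Simple pattern matching: a hypothetical signature on the request path.
SIGNATURES = {
    "sensitive_file_request": re.compile(r"path=\S*/etc/passwd"),
}

# (b) FSM parameter: how many consecutive failures make a later success suspicious.
FAIL_THRESHOLD = 3


def parse(line):
    """Return the parsed fields of one audit line, or None if it is malformed."""
    m = LINE_RE.match(line)
    return m.groupdict() if m else None


def match_signatures(records):
    """Stateless check: emit an alert for every record matching a signature."""
    alerts = []
    for r in records:
        for name, pattern in SIGNATURES.items():
            if pattern.search(r["rest"]):
                alerts.append((r["ts"], r["host"], name))
    return alerts


def run_fsm(records, threshold=FAIL_THRESHOLD):
    """Stateful check: per host, count consecutive auth_fail events and alert
    when an auth_ok arrives after at least `threshold` of them."""
    failures = defaultdict(int)  # host -> current run of consecutive failures
    alerts = []
    for r in records:
        host, event = r["host"], r["event"]
        if event == "auth_fail":
            failures[host] += 1
        elif event == "auth_ok":
            if failures[host] >= threshold:
                alerts.append((r["ts"], host, "success_after_repeated_failures"))
            failures[host] = 0  # sequence complete or benign: reset the machine
        # Other events do not affect the authentication sequence.
    return alerts


def detect(text):
    """Parse the audit trail and return all alerts from both detectors."""
    records = [p for p in (parse(line) for line in text.splitlines()) if p]
    return match_signatures(records) + run_fsm(records)


if __name__ == "__main__":
    for alert in detect(SAMPLE_AUDIT_TRAIL):
        print(alert)
```

The stateless signature check needs no memory and scales trivially; the state machine must keep per-host state between lines, which is where analyst tuning (thresholds, reset conditions) and the cost the following paragraph describes come in.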
But conventional intrusion detection systems (IDSs) are not easily scalable across enterprises. For many of these systems, this lack of scalability is due to the large number of skilled analysts required to detect and monitor intrusions. For example, these systems may have a maximum scalability of one analyst per one hundred nodes or sensors. In short, to further scale the conventional IDS through additional nodes, the enterprise must hire additional expensive analysts.